The rapid rise of cyber insurance in India's expanding digital landscape
The threat of cyber-attacks is nothing new, but ransomware is proving far more effective at generating revenue than ever before. This has pushed businesses to seek insurance for some protection from the large ransoms. As demand for cyber insurance has surged to unprecedented levels, the market has become highly volatile. Premiums are increasing, there are some stringent rules about what is and isn’t covered, and minimum standards have been introduced for businesses that want to be insured.
While this might initially seem like bad news for businesses, many should ultimately see these as positive developments. The rise in standards and clearer guidelines can lead to better-prepared businesses and potentially fewer successful attacks. However, this growth has made countries, including India, attractive targets for cybercriminals and hackers, leading to a rise in cyber-attacks.
Consequently, businesses are increasingly turning to cyber insurance to mitigate the substantial financial impacts of these attacks, driving the rapid growth of the cyber insurance market in India.
Sectors such as IT, pharma, and manufacturing that make a considerable contribution to India’s economic growth and development are heavily involved in digitisation, compelling them to be early adopters of cyber insurance.
Insurance for the digital world
When it comes to cybersecurity, people tend to conjure up a dark, enigmatic realm, but in actuality, the physical and digital worlds are quite similar. Years ago, assets that Indian businesses deemed critical and worthy of being insured would be confined to tangible assets like goods in warehouses, furniture, vehicles, etc. According to industry reports, three out of four organizations suffered at least one ransomware attack in the last year, with one out of those four being attacked more than four times in that period.
Unsurprisingly, 70% of businesses have demonstrated their willingness to increase spending on securing their digital infrastructure over the next three years. Notably, mid-sized firms evinced a heightened willingness to augment their spending to fortify their digital infrastructure. Conversely, some leading companies in the consumer sector, which manage large consumer databases, took a circumspect approach towards increasing their digital infrastructure budgets. However, they did express interest in enhancing their insurance coverage.
Don’t feed the criminals
Cyber insurance has become a contentious topic recently, and this mostly comes down to the million-dollar question with ransomware: to pay or not to pay? While many refute the idea that insured companies are more likely to pay ransoms, a 2023 Deloitte report on victims found that 77% of ransoms were paid by insurance. However, many insurers are trying to put a stop to this. As per the Veeam Ransomware Trends 2024 report, 73% of organizations experienced an increase in their premiums.
Paying ransoms isn’t a good idea and isn’t what insurance should be used for. It’s not just a question of ethics and fuelling more crime, but the fact that paying the ransom doesn’t immediately solve the problem, and often creates new ones. Firstly, ransomware gangs will ‘mark’ companies that pay so they can return for seconds or share this information with other gangs.
This is because paying a ransom emboldens miscreant hackers. But even before you get to this point, recovering via ransom payment is rarely plain sailing. It takes a long time to recover with the decryption keys provided by the attackers; this is often intentional, as some groups will charge per key to speed up the process. And that is if decryption even works: one in five businesses pay ransoms and are left unable to recover their data.
Raising standards
So, paying ransoms via insurance money is, thankfully, slowly dying out. But that’s not the only thing that’s changed. Companies in need of cyber insurance are increasingly required to meet minimum security and ransomware resilience standards. This can include using encrypted and immutable backups and implementing best practice data protection principles like least privilege (only giving access to those who need it) or four-eyes (requiring significant changes or requests to be approved by two people). Some policies also require businesses to have robust plans to ensure system availability, including well-defined disaster recovery processes to prevent downtime from a ransomware attack. After all, the longer an environment is out of action, the higher the cost of downtime and, with it, the insurance claim cost.
Enterprises should have all of these things in place anyway. If there is only insurance alongside flimsy data protection and recovery processes, insurance payouts will just paper over the cracks. The introduction of minimum standards is good news for businesses. Not only will it push the cost of premiums down in the long run, but the security principles they dictate will be more valuable to businesses than the insurance was to begin with.
Cyber insurance is not a silver bullet but can be a beneficial element of a wider cyber resilience strategy. Both are nice to have, but if you could only have one, resilience is the pick every time. Fortunately, insurers agree, as unprotected businesses are becoming too unprofitable to cover.
Cyber insurance, particularly around ransomware, is moving towards a world where insured businesses have strong cyber resilience and well-defined disaster recovery plans, and only use insurance to mitigate the impact of attacks and the cost of downtime while they recover via immutable backups. This is a world that is far more resilient to ransomware than the one where businesses throw insurance money at the problem.
(The article has been co-authored by Edwin Weijdema, Field CTO & Lead Cybersecurity Technologist)
Sandeep Bhambure
Sandeep Bhambure is Vice President and Managing Director, India & SAARC at Veeam Software.